
QuickTime Flaw Poses Risk to Mac & Windows Systems

Security researcher Petko D. Petkov has demonstrated how a vulnerability in Apple's QuickTime media player can cause the Firefox browser to plant backdoors and other types of malware on a system even if it is fully patched. Petkov said the flaw affects both Mac and Windows systems.

On September 12, 2007, the researcher posted proof-of-concept code on the Internet to demonstrate how the exploit allows privileged code to be executed on an unsuspecting user's PC. The XML code refers to foo.mp3, a file that QuickTime supports and that is not present on the affected PC.

The proof-of-concept affects Mozilla's chrome engine. The flaw in QuickTime affects all versions of Internet Explorer (IE). However, the impact there is less severe because of the strict security policies IE applies to scripts regarding local zones, Petkov said in a statement as published by Builderau on September 13, 2007. The proof-of-concept also shows how apparently less critical security holes, when combined with other flaws, can be escalated into major issues. He added that old QuickTime was not worth repairing when Apple security wonks figured this year.

The code subsequently prompts QuickTime to load another file on the victim's computer. Because QuickTime is not choosy about the URLs it passes to Firefox, nothing stops attackers from including any address that uses Firefox's chrome component in order to execute privileged code on an affected PC. By exploiting the vulnerability, the attacker can easily download spyware, adware, rootkits and similar kinds of malware onto a victim's system within seconds.

The vulnerability also lies in the manner in which QuickTime loads XML files that contain links to video or audio media and metadata and that pretend to be the real file. It is also possible to insert JavaScript into the XML file attributes, which runs by default when the file is opened. QuickTime allows transparent use of these files wherever media files are used, and because of that, the exploit code could infect any video or audio file, such as mpg, mp3, png and avi, that QuickTime intends to run. The blog that published the security hole lists 42 different file extensions that are affected.
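
From a defender's side, the mismatch described above (a file named like media whose content is really XML with script-bearing attributes) can be checked for on a mail gateway or file share. The following is an added example, not code from the article or from the researcher's proof-of-concept; the element and attribute names in the sample are hypothetical, and only the four extensions the article names are included.

```python
import os
import re
import xml.etree.ElementTree as ET

# Only the four extensions the article names; the researcher's blog lists 42.
MEDIA_EXTS = {".mpg", ".mp3", ".png", ".avi"}
RISKY_SCHEMES = ("javascript:", "chrome:")


def looks_like_xml(data):
    """True if the content starts with markup instead of a media header."""
    return data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<")


def inspect_media_file(name, data):
    """Return findings for a media-named file that is really an XML wrapper."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MEDIA_EXTS or not looks_like_xml(data):
        return []
    findings = ["media extension but XML content"]
    if b"<!DOCTYPE" in data.upper():
        # Refuse DTDs before parsing: avoids entity-expansion tricks.
        return findings + ["DOCTYPE present, not parsed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return findings + ["markup does not parse as XML"]
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            # Drop whitespace and case so " JavaScript:" is still caught.
            url = re.sub(r"\s+", "", value).lower()
            if url.startswith(RISKY_SCHEMES):
                scheme = url.split(":", 1)[0]
                findings.append(f"{scheme}: URL in attribute {attr!r} of <{elem.tag}>")
    return findings


# Constructed sample; the element and attribute names are hypothetical.
SAMPLE = b'<?xml version="1.0"?>\n<media src="foo.mp3" next=" JavaScript:void(0)"/>'

if __name__ == "__main__":
    for line in inspect_media_file("holiday.mp3", SAMPLE):
        print(line)
```

The first finding alone (media extension, XML content) is worth quarantining on, since the scheme check only covers the two URL types the article mentions.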